Secure Sensitive Data in ShardingSphere: Quick Start Guide for Spring

This tutorial explains why encrypting sensitive fields like ID numbers and bank cards is required, outlines common pain points, and shows how to configure ShardingSphere's data‑desensitization module using Spring namespace or Spring Boot with full code examples and configuration files.

Programmer DD

In real business scenarios, databases often store sensitive customer information such as ID numbers, bank card numbers, names, and phone numbers, which must be encrypted to meet compliance requirements.

Pain Point One

Typical solutions require developers to manually encrypt fields in SQL statements and manually decrypt them on query, which is cumbersome and tightly couples business logic with compliance details.

Pain Point Two

For systems that were launched without data‑desensitization, retrofitting compliance usually involves adding desensitized columns, migrating data, and adding compatibility logic; a fast way is needed to meet compliance without extensive code changes.

ShardingSphere provides a data‑desensitization module that parses and intercepts user SQL, rewrites it according to user‑defined rules, and transparently encrypts/decrypts fields, achieving seamless secure storage and query.

Desensitization Configuration Quick Start – Spring Namespace

The following steps show how to quickly enable desensitization in a Spring application.

1. Add Dependency

<!-- for spring namespace -->
<dependency>
    <groupId>org.apache.shardingsphere</groupId>
    <artifactId>sharding-jdbc-spring-namespace</artifactId>
    <version>${sharding-sphere.version}</version>
</dependency>

2. Create Desensitization Rule Object

Before creating the data source, prepare an EncryptRuleConfiguration with AES encryption for two tables card_info and pay_order:

private EncryptRuleConfiguration getEncryptRuleConfiguration() {
    Properties props = new Properties();
    // AES algorithm requires a key
    props.setProperty("aes.key.value", aeskey);
    EncryptorRuleConfiguration encryptorConfig = new EncryptorRuleConfiguration("AES", props);

    EncryptRuleConfiguration encryptRuleConfig = new EncryptRuleConfiguration();
    encryptRuleConfig.getEncryptors().put("aes", encryptorConfig);

    // card_info table configuration
    {
        EncryptColumnRuleConfiguration columnConfig1 = new EncryptColumnRuleConfiguration("", "name", "", "aes");
        EncryptColumnRuleConfiguration columnConfig2 = new EncryptColumnRuleConfiguration("", "id_no", "", "aes");
        EncryptColumnRuleConfiguration columnConfig3 = new EncryptColumnRuleConfiguration("", "finshell_card_no", "", "aes");
        Map<String, EncryptColumnRuleConfiguration> columnConfigMaps = new HashMap<>();
        columnConfigMaps.put("name", columnConfig1);
        columnConfigMaps.put("id_no", columnConfig2);
        columnConfigMaps.put("finshell_card_no", columnConfig3);
        EncryptTableRuleConfiguration tableConfig = new EncryptTableRuleConfiguration(columnConfigMaps);
        encryptRuleConfig.getTables().put("card_info", tableConfig);
    }

    // pay_order table configuration
    {
        EncryptColumnRuleConfiguration columnConfig1 = new EncryptColumnRuleConfiguration("", "card_no", "", "aes");
        Map<String, EncryptColumnRuleConfiguration> columnConfigMaps = new HashMap<>();
        columnConfigMaps.put("card_no", columnConfig1);
        EncryptTableRuleConfiguration tableConfig = new EncryptTableRuleConfiguration(columnConfigMaps);
        encryptRuleConfig.getTables().put("pay_order", tableConfig);
    }

    log.info("Desensitization configuration built: {}", encryptRuleConfig);
    return encryptRuleConfig;
}

Explanation:

The first two parameters of EncryptColumnRuleConfiguration are plainColumn and cipherColumn. For new systems only the cipher column needs to be set, so the example uses an empty string for plainColumn.

The map passed to EncryptTableRuleConfiguration contains the column configurations; the key is the logical column name, which ShardingSphere maps to the actual stored column during SQL rewrite.

3. Use ShardingSphere Data Source

Wrap the original data source with the encryption data source:

@Bean("tradePlatformDataSource")
public DataSource dataSource(@Qualifier("druidDataSource") DataSource ds) throws SQLException {
    return EncryptDataSourceFactory.createDataSource(ds, getEncryptRuleConfiguration(), new Properties());
}

Desensitization Configuration Quick Start – Spring Boot

Using Spring Boot, the configuration can be done entirely via properties.

1. Add Dependencies

<!-- for spring boot -->
<dependency>
    <groupId>org.apache.shardingsphere</groupId>
    <artifactId>sharding-jdbc-spring-boot-starter</artifactId>
    <version>${sharding-sphere.version}</version>
</dependency>
<!-- for spring namespace -->
<dependency>
    <groupId>org.apache.shardingsphere</groupId>
    <artifactId>sharding-jdbc-spring-namespace</artifactId>
    <version>${sharding-sphere.version}</version>
</dependency>

2. Spring Configuration File

spring.shardingsphere.datasource.name=ds
spring.shardingsphere.datasource.ds.type=com.alibaba.druid.pool.DruidDataSource
spring.shardingsphere.datasource.ds.driver-class-name=com.mysql.jdbc.Driver
spring.shardingsphere.datasource.ds.url=jdbc:mysql://host:port/db
spring.shardingsphere.datasource.ds.username=root
spring.shardingsphere.datasource.ds.password=******

# Default AES encryptor
spring.shardingsphere.encrypt.encryptors.encryptor_aes.type=aes
spring.shardingsphere.encrypt.encryptors.encryptor_aes.props.aes.key.value=YOUR_AES_KEY

# card_info table encryption
spring.shardingsphere.encrypt.tables.card_info.columns.name.cipherColumn=name
spring.shardingsphere.encrypt.tables.card_info.columns.name.encryptor=encryptor_aes
spring.shardingsphere.encrypt.tables.card_info.columns.id_no.cipherColumn=id_no
spring.shardingsphere.encrypt.tables.card_info.columns.id_no.encryptor=encryptor_aes
spring.shardingsphere.encrypt.tables.card_info.columns.finshell_card_no.cipherColumn=finshell_card_no
spring.shardingsphere.encrypt.tables.card_info.columns.finshell_card_no.encryptor=encryptor_aes

# pay_order table encryption
spring.shardingsphere.encrypt.tables.pay_order.columns.card_no.cipherColumn=card_no
spring.shardingsphere.encrypt.tables.pay_order.columns.card_no.encryptor=encryptor_aes

After these steps, ShardingSphere will automatically encrypt the specified columns on insert and decrypt them on query, providing transparent data‑desensitization.
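
A check worth running after either setup, added here as an example and not taken from the original article or from ShardingSphere: it inserts a constructed row through the encrypting data source, then queries the same database directly to confirm the plaintext is not what was stored. The class name EncryptionSmokeCheck, the helper names and the test values are assumptions, as is that card_info accepts an insert of only these three columns.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.sql.DataSource;

/** Added example: checks that card_info.id_no reaches the database as ciphertext. */
public final class EncryptionSmokeCheck {
    private static final String ID_NO = "TEST-ID-0000000001"; // constructed marker, not real data

    static PreparedStatement bind(Connection c, String sql, String... params) throws SQLException {
        PreparedStatement ps = c.prepareStatement(sql);
        for (int i = 0; i < params.length; i++) {
            ps.setString(i + 1, params[i]);
        }
        return ps;
    }

    static int update(DataSource ds, String sql, String... params) throws SQLException {
        try (Connection c = ds.getConnection(); PreparedStatement ps = bind(c, sql, params)) {
            return ps.executeUpdate();
        }
    }

    static int count(DataSource ds, String sql, String... params) throws SQLException {
        try (Connection c = ds.getConnection(); PreparedStatement ps = bind(c, sql, params);
             ResultSet rs = ps.executeQuery()) {
            return rs.next() ? rs.getInt(1) : 0;
        }
    }

    // encrypted: the ShardingSphere data source; raw: a plain pool to the same database.
    public static void verify(DataSource encrypted, DataSource raw) throws SQLException {
        String byIdNo = "SELECT COUNT(*) FROM card_info WHERE id_no = ?";
        update(encrypted, "INSERT INTO card_info (name, id_no, finshell_card_no) VALUES (?, ?, ?)",
                "smoke-check", ID_NO, "TEST-CARD-0000000001");
        try {
            // Through ShardingSphere the SQL is rewritten, so the plaintext value matches the row.
            int viaEncrypted = count(encrypted, byIdNo, ID_NO);
            // Straight to the database, the plaintext value must match nothing.
            int viaRaw = count(raw, byIdNo, ID_NO);
            if (viaEncrypted < 1 || viaRaw != 0) {
                throw new IllegalStateException("encrypted=" + viaEncrypted + " raw=" + viaRaw);
            }
        } finally {
            update(encrypted, "DELETE FROM card_info WHERE id_no = ?", ID_NO);
        }
    }
}
```

In the Java-configured setup, pass tradePlatformDataSource as `encrypted` and druidDataSource as `raw`; a non-zero `raw` count means the column rule is not being applied and plaintext is reaching the table.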

Written by Programmer DD, a tinkering programmer and author of "Spring Cloud Microservices in Action"